Krebs on Security

In-depth security news and investigation

Deconstructing the $9.84 Credit Card Hustle

Over the holidays, I heard from a number of readers who were seeing strange, unauthorized charges showing up on their credit and debit cards for $9.84. Many wondered whether this was the result of the Target breach; I suppose I asked for this, having repeatedly advised readers to keep a close eye on their bank statements for bogus transactions. It’s still not clear how consumers’ card numbers are being stolen here, but the fraud appears to stem from an elaborate network of affiliate schemes that stretch from Cyprus to India and the United Kingdom.

One reader said the $9.84 charge on her card came with a notation stating the site responsible was eetsac.com. I soon discovered that there are dozens of sites complaining about similar charges from similarly-constructed domains; for example, this 30-page thread at Amazon’s customer help forums includes gripes from hundreds of people taken by this scam.

I did a bit of digging into that eetsac.com domain, ordering a historic WHOIS report from domaintools.com. The report shows that the domain eetsac.com was originally registered using the email address walter.kosevo@ymail.com. Domaintools also reports that this email address was used to register more than 230 other sites; a full list is available here (CSV).

A closer look at some of those domains reveals a few interesting facts. Callscs.in, for example, is a Web site for a call center and a domain that has been associated with these $9.84 fraudulent charges. Callscs.in lists as its local phone number 43114300. That number traces back to a call center in India, Call Connect India, Inc., which registers its physical address as Plot No 82, Sector 12 A, Dwarka. New Delhi – 110075.

The next site like that one on the list — cewcs.com — references the domain insiderwebeducationpro.com, another domain on the list of sites registered to that ymail.com email address. The homepage of insiderwebeducationpro.com lists the following contact information:

A search at companieshouse.gov.uk, a government site which maintains records about companies based in the United Kingdom, turned up incorporation records (PDF) showing that Lasorea Ltd. was founded in January 2013 by Emil Darbinian, a 28-year-old self-described accountant from Nicosia, Cyprus. Other records searches on Mr. Darbinian indicate he owns at least two other companies at the same address, including Testohealth Labs. Ltd — which appears to be a software company — and a firm called Levantos Venture Ltd. Mr. Darbinian did not return messages seeking comment.

Another domain on the list — etosac.com — is listed as the support and billing site for webtutorialpro.com, a site which bills itself as an “affiliate learning system.” In fact, of the 235 domains registered to walter.kosevo@ymail.com, all seem to be either affiliate programs of one kind (diet pills, work-at-home) or support/call center sites.

Dozens of sites like this one are the apparent source of the $9.84 charges.

Webtutorialpro.com lists on its homepage a company named Lukria, Ltd., and an address at the same London business park as Mr. Darbinian’s companies. If we step through the signup process to become an affiliate at Webtutorialpro.com, we can see that everything — from the “online store in a box” to “pay per click extreme” and the tutorial on “how to get FREE web traffic” — all retail for….wait for it….$9.84!

Lukria, according to incorporation documents (PDF) purchased from companieshouse.co.uk, was created on the same day as Lasorea Ltd., and lists as its director a Sergey Babayan, also from Cyprus. According to the Facebook pages of both Mr. Darbinian and Mr. Babayan, the two men are friends. Mr. Babayan has not responded to requests for comment.

Mr. Babayan’s Facebook profile says he works at a company called Prospectacy Limited, which LinkedIn says is an accounting firm in Nicosia, Cyprus. According to Prospectacy’s Web site, this company specializes in “corporate services,” including “company formation,” “banking,” and “virtual office” services. The company seems to be in the business of establishing offshore firms; according to a reverse WHOIS record lookup from domaintools.com, the email address used to register Prospectacy’s domain also was used to register at least ten other domains, including registerincyprus.com, registerinuk.com, setupincyprus.com and setupineu.com.

A number of these affiliate sites include on their home page links to credorax.com, a Malta-based acquiring bank that is in the business of processing credit and debit card payments for merchants. It’s not clear whether either cewcs.com or insiderwebeducationpro.com use Credorax Inc. for payment processing, but it seems to suggest that by association. I reached out to Credorax to learn whether this site (and perhaps others that are the subject of this story) are customers, and will update this story if I hear back from them.

Update, 12:43 p.m. ET: I heard from Michael Burtscher, vice president of acquiring risk and fraud management at Credorax. Burtscher clarified that his company has offices in the U.S. but is based in Malta. Burtscher confirmed that Credorax had until recently helped to process cards for the network of sites named in this story, but that the company has severed that relationship. He declined to say when exactly the relationship ended, or indeed whether my information about the client’s identities was accurate. Burtscher would only say that Credorax terminated its relationship with the client in response to consumer complaints about the fraudulent charges. “This was one of those cases where when we onboarded them it looked like a legitimate account, but when we saw there were issues we decided to take action.”

Original story: If I had to hazard a charitable guess about what is going on here, I would say some ambitious “affiliates” associated with these moneymaking schemes were abusing the system and pushing through charges on stolen credit cards. But it is difficult to escape the conclusion that this is little more than an elaborate (and probably successful) scam set up to steal little bits of money from lots and lots of people.

By the way, this is not a new type of fraud, nor is this particular fraud a recent occurrence — although the bogus $9.84 charges do appear to have spiked around the holidays. Most of the domains involved in this scheme were registered a year ago or more, and a quick search on the amount $9.84 shows that the fraudsters responsible for this scheme have been at it since at least the first half of 2013.

If you see a charge like this or any other activity on your credit or debit card that you did not authorize, contact your bank and report the fraud immediately. I think it’s also a good idea in cases like this to request a new card in the odd chance your bank doesn’t offer it: After all, it’s a good bet that your card is in the hands of crooks, and is likely to be abused like this again.

In the hopes that my listing them here makes this scam less successful, here are a bunch more domains apparently involved in this scam:

Update, Jan. 15, 5:46 p.m. ET: An earlier version of this story incorrectly stated that the domain profcs.com was associated with this scam; the correct domain is profcs.in. The above story has been modified. I regret any confusion this may have caused.

This entry was posted on Monday, January 6th, 2014 at 12:35 am and is filed under A Little Sunshine, Breadcrumbs.

Yesterday, I was advised by my credit union that my credit card was compromised. Someone apparently used a clone of my card (my card is still in my wallet) at a Home Depot store in Pittsburgh. I don’t know how or where my card was cloned, but I only had about three purchases on it prior to the fraud.

Credit Card Secret. Nobody in the U.S. (not even the President or Congress) can stop credit card theft. The system design (JTC 1/SC-17, blueprints serving criminals) “owner” is the ISO and IEC; the U.S. representative is the ANSI. The design owners have no interest in considering the new U.S. technology which removed the theft-enabling identity factor from the system.

Why doesn’t it get any media coverage when it’s THE BANK that is stealing? It’s been a few years, but I was banking with one of the 3 biggest banks. I noticed a charge for a VERY SIMILAR amount to this scam ($9.95? $9.99?) each and every month. I didn’t even get to finish my sentence once I had shared the description from my statement – they offered to remove all the charges going back 5 or 6 months INSTANTLY. It was the SAME concept: it’s small, no one will notice. If they do notice, just give it back right away.
There are probably a great many people in prisons right now wishing they could have just given back what they stole and forget the whole thing.

I tell people one security option is to go online to their bank, credit union and even brokerage firm websites and set alerts. I get an email alert whenever there’s a charge to my card more than a dollar, any foreign transaction occurs, there’s a wire transfer out of my account, etc.

What bothers me about this scam is that Chase Bank has reversed the charge and issued me a new card, however Chase will not discuss the circumstances on how/why the fraudulent charge was made, or offer any advice on how to protect myself from falling prey to the same type of scam in future. In other words, Chase itself is doing nothing to monitor these fake charges and if I hadn’t noticed the charge myself the fraud would have been successful. By implication Chase is therefore culpable, since Chase must have the same info that the author of this article has. In times gone by, some enterprising attorney would take this on Chase with a class action and sue Chase for the sum of the damages; unfortunately 9.84 times a few thousand will not pay the average attorney’s freight, besides the fact that most attorneys are owned by banks and corporations anyway.

Same thing with American Express. No information about what fraudulent activity they have noticed on your card. Notification of the cardholder seems to be for the sole purpose of covering the bank’s/card company’s ass (as in we notified you) but then not being forthcoming about any information which might help you locate a skimmer, criminal employee where you shopped, etc.

BTW – IF you use iTunes in any way to make purchases – be sure and look at your DETAILED charges. Apple makes it easy to charge things, but damn hard to trace down the details of what you have been charged.

I am in the middle of a mess now in which I looked at some “free” episodes of new TV series and then somehow was charged for complete seasons at $38-40 per. CHECK YOUR BILL.

Thank you for following through on this informative story.
Job lead boards are also a huge scam. Some job boards are gleaners for on-line schools, not actual employment leads; it is fake. One job board will have you upload your resume, apply online for the job, and now you have to have a background check, it sends you to a credit reporting link, AHHHH but for a monthly membership fee and just give the supposedly interested employer your access code to review your credit history as part of a background check. Then when you call to cancel the membership they try to talk you out of it. There is just one scam after another.

I had a GM credit card through MiGros Market in Switzerland. My child used it once online to play a game called GameForge, but the card was charged by several on-line sources from Germany, Malta, USA,…… The card was even charged twice for the same item with the same item number. When I saw that, I contacted the credit card company. They said I had to fill out a form….. But my child already made the payment at the post office. After I filled out the form, etc., the GM credit card in Switzerland told me that it was too late since the payment was already made. Obviously these on-line charges were fraudulent, but what could I do under the circumstances? The credit card company did not want to do anything since they received the payment. Later on, this card was stolen together with all other cards in my bag by organized thieves in Geneva train station area, so I had to cancel all the cards stolen. The GM card told me I had to pay 15 Swiss Francs to get a new card, which I did not want to pay, so I just stopped using the card. Recently when I inquired about possibility to get a loan, I was told that this GM card company in Switzerland put a note in my credit card history that they are waiting for payment, making it impossible for me to apply for a small loan.